author | Stephen Beaver <sbeaver@netgate.com> | 2016-01-13 12:53:17 -0500 |
---|---|---|
committer | Stephen Beaver <sbeaver@netgate.com> | 2016-01-13 12:53:45 -0500 |
commit | 1716852ac3f818dc9fb22f3e4f7eb4301296a3c0 (patch) | |
tree | 86c5ee0c7f847fb8cf80198dd6cce17641257052 | |
parent | 471e7c3ac7276568c0fea726d699fb63dd87d3eb (diff) | |
Fixed #3887
-rw-r--r-- | src/etc/inc/filter.inc | 33 | ||||
-rw-r--r-- | src/usr/local/www/firewall_nat_1to1.php | 3 | ||||
-rw-r--r-- | src/usr/local/www/firewall_nat_1to1_edit.php | 9 |
3 files changed, 31 insertions, 14 deletions
diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
index 5e0e057..7ab1ef7 100644
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -1863,22 +1863,27 @@ function filter_nat_rules_generate() {
 $natif = $FilterIflist[$natif]['if'];
- /*
- * If reflection is enabled, turn on extra redirections
- * for this rule by adding other interfaces to an rdr rule.
- */
- if ((isset($config['system']['enablebinatreflection']) || $rule['natreflection'] == "enable") &&
- ($rule['natreflection'] != "disable")) {
- $nat_if_list = filter_get_reflection_interfaces($natif);
+ if (isset($rule['nobinat'])) {
+ $natrules .= "nobinat on {$natif} from {$srcaddr} to {$dstaddr} -> {$target}{$sn1}\n";
 } else {
- $nat_if_list = array();
- }
+ /*
+ * If reflection is enabled, turn on extra redirections
+ * for this rule by adding other interfaces to an rdr rule.
+ */
+ if ((isset($config['system']['enablebinatreflection']) || $rule['natreflection'] == "enable") &&
+ ($rule['natreflection'] != "disable")) {
+ $nat_if_list = filter_get_reflection_interfaces($natif);
+ } else {
+ $nat_if_list = array();
+ }
+
+ $natrules .= "binat on {$natif} from {$srcaddr} to {$dstaddr} -> {$target}{$sn1}\n";
- $natrules .= "binat on {$natif} from {$srcaddr} to {$dstaddr} -> {$target}{$sn1}\n";
- if (!empty($nat_if_list)) {
- $binat_if_list = implode(" ", $nat_if_list);
- $binat_if_list = "{ {$binat_if_list} }";
- $reflection_txt .= "rdr on {$binat_if_list} from {$dstaddr} to {$target}{$sn1} -> {$srcaddr} bitmask\n";
+ if (!empty($nat_if_list)) {
+ $binat_if_list = implode(" ", $nat_if_list);
+ $binat_if_list = "{ {$binat_if_list} }";
+ $reflection_txt .= "rdr on {$binat_if_list} from {$dstaddr} to {$target}{$sn1} -> {$srcaddr} bitmask\n";
+ }
 }
 $nat_if_list = array_merge(array($natif), $nat_if_list);
diff --git a/src/usr/local/www/firewall_nat_1to1.php b/src/usr/local/www/firewall_nat_1to1.php
index 4875f1f..071e27d 100644
--- a/src/usr/local/www/firewall_nat_1to1.php
+++ b/src/usr/local/www/firewall_nat_1to1.php
@@ -209,6 +209,9 @@ display_top_tabs($tab_array);
 <td>
 <a href="?act=toggle&id=<?=$i?>">
 <i class="fa <?= ($iconfn == "pass") ? "fa-check":"fa-times"?>" title="<?=gettext("click to toggle enabled/disabled status")?>"></i>
+<?php if (isset($natent['nobinat'])) { ?>
+ <i class="fa fa-hand-paper-o text-danger" title="<?=gettext("Negated: This rule excludes a NAT from a later rule")?>"></i>
+<?php } ?>
 </a>
 </td>
 <td>
diff --git a/src/usr/local/www/firewall_nat_1to1_edit.php b/src/usr/local/www/firewall_nat_1to1_edit.php
index 7e76b35..e747e15 100644
--- a/src/usr/local/www/firewall_nat_1to1_edit.php
+++ b/src/usr/local/www/firewall_nat_1to1_edit.php
@@ -103,6 +103,7 @@ if (isset($_GET['dup'])) {
 }
 if (isset($id) && $a_1to1[$id]) {
+ $pconfig['nobinat'] = isset($a_1to1[$id]['nobinat']);
 $pconfig['disabled'] = isset($a_1to1[$id]['disabled']);
 address_to_pconfig($a_1to1[$id]['source'], $pconfig['src'],
@@ -236,6 +237,7 @@ if ($_POST) {
 if (!$input_errors) {
 $natent = array();
+ $natent['nobinat'] = isset($_POST['nobinat']) ? true:false;
 $natent['disabled'] = isset($_POST['disabled']) ? true:false;
 $natent['external'] = $_POST['external'];
 $natent['descr'] = $_POST['descr'];
@@ -393,6 +395,13 @@ $form = new Form(new Form_Button(
 $section = new Form_Section('Edit NAT 1 to 1 entry');
 $section->addInput(new Form_Checkbox(
+ 'nobinat',
+ 'Negate',
+ 'This rule will be excluded from the NAT',
+ $pconfig['nobinat']
+))->setHelp('Use this to exclude addresses from from a rule that follows this one');
+
+$section->addInput(new Form_Checkbox(
 'nordr',
 'No RDR (NOT)',
 'Disable redirection for traffic matching this rule', |
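Review bot: In the new `nobinat` branch `$nat_if_list` is never assigned, yet the context line right after the block still runs `$nat_if_list = array_merge(array($natif), $nat_if_list);`, so a negated rule merges either an undefined variable or whatever list an earlier rule left behind. Initialising it ahead of the branch, `$nat_if_list = array();` before `if (isset($rule['nobinat'])) {`, keeps a negated entry from inheriting another rule's reflection interfaces. Separately, pf.conf spells the negation as two words, `no binat on …`, and as far as I know pfctl does not accept a `->` target on a `no` rule, so the emitted `nobinat on … -> {$target}{$sn1}` line should be checked with `pfctl -nf` before it ships; a line the parser rejects would stop the generated ruleset from loading. The body of filter_nat_rules_generate() starts and ends outside this hunk, so how `$nat_if_list` is used further down is not visible here.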
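Review bot: The new negation marker is emitted inside the existing `<a href="?act=toggle&id=<?=$i?>">` element, so clicking the hand icon toggles the rule's enabled state even though its tooltip only describes negation. Moving the `<?php if (isset($natent['nobinat'])) { ?>` … `<?php } ?>` block to just after the closing `</a>` keeps an informational icon from changing firewall state on a stray click.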
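Review bot: `$natent['nobinat'] = isset($_POST['nobinat']) ? true:false;` always creates the key, and the readers added in this commit (`isset($rule['nobinat'])` in filter.inc, `isset($a_1to1[$id]['nobinat'])` in the @@ -103 hunk of this file) treat a key holding `false` as set. This presumably relies on the config writer dropping false booleans, as the neighbouring `disabled` line does, but that is not visible here. Setting the key only when the box is ticked, `if (isset($_POST['nobinat'])) { $natent['nobinat'] = true; }`, removes that dependency so an unticked box can never produce a negated rule. The enclosing `if ($_POST)` block starts and ends outside the hunk.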
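Review bot: The help string passed to `setHelp()` has a doubled word ("from from"), and the checkbox description 'This rule will be excluded from the NAT' reads as if the rule itself were dropped rather than the traffic it matches. Suggested wording: `'Excludes traffic matching this rule from 1:1 NAT'` for the description and `'Use this to exclude addresses from a rule that follows this one'` for the help text. A one-line comment above the new checkbox noting that `nobinat` makes filter.inc emit a negated rule instead of a `binat` line would help the next reader connect the form field to the generated ruleset.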